Hackers use Congressman’s iPhone to demo ability to listen into calls, monitor texts, track location [Updated]

CBS correspondent Sharyn Alfonsi, left, with hacker Karsten Nohl

Update: Rep. Ted Lieu has now written to the Chairman of the House Committee on Oversight and Government Reform requesting a formal investigation into the vulnerability. In his letter, the Congressman says that the flaw threatens ‘personal privacy, economic competitiveness and U.S. national security.’ The full text of his letter can be found at the bottom of the piece.

Apple may take iOS security so seriously that it’s willing to do battle with the FBI over it, but German hackers have demonstrated that all phones – even iPhones – are susceptible to a mobile network vulnerability that requires nothing more than knowing your phone number. Armed with just that, hackers can listen to your calls, read your texts and track your position.

60 Minutes invited the hackers to prove their claims by giving a brand new iPhone to Congressman Ted Lieu – who agreed to participate in the test – and telling the hackers nothing more than the phone number. The hackers later replayed recordings they’d made of calls made on that iPhone …

They were able to do it by exploiting a security flaw they discovered in Signaling System Seven or SS7 […] The SS7 network is the heart of the worldwide mobile phone system. Phone companies use SS7 to exchange billing information. Billions of calls and text messages travel through its arteries daily. It is also the network that allows phones to roam.

Karsten Nohl, a German hacker with a doctorate in computer engineering from the University of Virginia, carried out the demonstration from a hacking conference in Berlin. In addition to recording calls and texts, he also demonstrated that he was able to track the Congressman’s location, even with the iPhone’s GPS turned off, using cellphone tower triangulation. Additionally, he was able to log the phone number of everyone who called the phone. None of this required any ability to access the iPhone itself, only the mobile networks.

Rep. Ted Lieu said that he was shocked by what the hackers had been able to achieve.

Last year, the president of the United States called me on my cellphone. And we discussed some issues. So if the hackers were listening in, they would know that phone conversation [and the President’s mobile number]. And that’s immensely troubling.

Nohl said that the SS7 vulnerability was well known in some quarters, and that there was a reason it had not yet been fixed.

The ability to intercept cellphone calls through the SS7 network is an open secret among the world’s intelligence agencies — including ours — and they don’t necessarily want that hole plugged.

Lieu said that this was totally unacceptable.

The people who knew about this flaw and saying that should be fired. You cannot have 300-some million Americans – and really, right, the global citizenry – be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data. That is not acceptable.

While the court battle between Apple and the FBI is over, they will again face off in Congress tomorrow. Apple general counsel Bruce Sewell and FBI executive assistant director Amy Hess will testify on separate panels before a House Energy and Commerce subcommittee. Separately, two members of the Senate Intelligence Committee have proposed a bill to force tech companies to decrypt devices for law enforcement, though one Senator has vowed to block the legislation with a filibuster.

[Image: Rep. Lieu’s letter to the House Committee on Oversight and Government Reform]

Comments

  1. kpom1 - 8 years ago

    So who is responsible for SS7 and how does this vulnerability get fixed?

    • Clem - 8 years ago

      If you listened to the whole article, it won’t be fixed. Governments use this to *their* advantage to track bad guys.

      • JBDragon - 8 years ago

        They may use it for that, but I’m sure they’re using it to spy on the general population and really, anyone they feel like. You can’t catch terrorists after the fact when they’re dead along with the people they killed. That means you spy on everyone in the hope of finding a terrorist beforehand. At least that’s how they’ll justify it.

  2. iphonenick (@iphonenick) - 8 years ago

    I’ve read about this vulnerability before. The threat isn’t limited to iPhones. All mobile phones are affected. iMessages, which bypass SS7, are likely immune.

    One way to compensate for the weaknesses of SS7 is for Apple to become a private carrier that bypasses SS7 for direct iPhone to iPhone communications. They have the money to develop something in-house.

    • Ivan - 8 years ago

      I’ve been wanting an Apple cell network since they came out with the Apple Sim. They can totally do it and they would be able to use current technology to create a new network that might be better compared to the antiquated cell network we use here in the states.

    • gregonaut - 8 years ago

      Here’s another way to bypass it: use FaceTime audio or video, that should be encrypted along with iMessage.

      • jacosta45 - 8 years ago

        I support this but for people who don’t use those services… they’re kinda fucked.

      • iphonenick (@iphonenick) - 8 years ago

        My family and some friends are already using FaceTime audio. No need to worry about long distance charges and tracking talk minutes.

  3. PhilBoogie - 8 years ago

    1) Good thing this has nothing to do with the iPhone, or iOS.
    2) Fortunately the congressman gets the point just fine.
    3) I wonder if John thinks this is perfectly fine though¿

    • 89p13 - 8 years ago

      I’m sure John is really pissed that this vulnerability of the Carriers has been shown on network television. And I totally agree with your first 2 statements. I’m also glad that the story showed the reporter’s phone to NOT be an iPhone – just to demonstrate that this one is not on the cellphone manufacturers or any O/S – it’s the carrier networks who are bleeding this data.

      Let’s see if the sheeples raise up and revolt – or they just say “Doesn’t affect me.”

      • I’ve heard far too many people who just don’t give a sh*t. They are too busy with their lives and mind numbing TV to give f*ck! They say they’re doing it anyway and I don’t have anything to hide as if that is a justification for them accessing our private data without due process. Privacy has been snatched away from the people and no one cares.

    • John Smith - 8 years ago

      PhilBogie – John thinks the same thing as always: too much attention being directed at keeping the FBI out of my phone, not enough attention being applied to keeping hackers out of my phone.

      • srgmac - 8 years ago

        The line you are creating between the two exists only in your small mind!

      • flaviosuave - 8 years ago

        “too much attention being directed at keeping the FBI out of my phone, not enough attention being applied to keeping hackers out of my phone”

        Except the solution to both things is one-and-the-same, you moron.

    • Brian - 8 years ago

      True, it has nothing to do with iPhone, but the self-serving hackers on the story and 60 Minutes made it sound like an iPhone thing. Also, the hackers were white hats who HAD FULL ACCESS to the network, and were working for the network. So, it’s not as if just any hacker has this.

      The lies that were promulgated on the story were whoppers. They said ‘all phones are the same’ – NOT TRUE. But WRT this particular hack it doesn’t matter since they are hacking the NETWORK and not the phone. But they made every attempt to put Android on the same level as iPhone, which I think is disingenuous, frankly.

  4. rob nienburg (@robogobo) - 8 years ago

    Bullshit. They hacked the telecom networks, not the iPhone. That’s on the network providers to fix. Move along, nothing to see here.

    • PhilBoogie - 8 years ago

      Read the article again please, in order to see that it doesn’t say the iPhone was hacked.

      • Neil Billingham - 8 years ago

        True and to be fair to CBS/60 minutes their article is called ‘Hacking Your Phone’ not iPhone

      • Read the headline – it’s disingenuous click-bait.

      • Brian - 8 years ago

        No, but they specifically mentioned the iPhone SEVERAL TIMES before later saying that ‘all phones are the same’ and then when the hack was demonstrated, it was an Android they were hacking (in the first bit, and not the congressperson’s iPhone). For that, they had malware installed on it. That is hardly a fair test or a valid comparison.

    • Ben Lovejoy - 8 years ago

      Um, that’s exactly what the report says. But I’m not sure most people would agree there’s “nothing to see here” …

      • The headline is disingenuous however as it says the “hackers use congressman’s iphone” – they did nothing of the sort.

      • Ben Lovejoy - 8 years ago

        It says ‘Hackers use Congressman’s iPhone to demo ability to listen into calls, monitor texts, track location’ – which is exactly what they did.

      • Ben, seriously, don’t argue this with your readership. Your headline is bullshit, just admit it and change it. The hackers used the network, they didn’t need to know at all which phone the congressman had. The fact he was given an iPhone is totally irrelevant to the report. None of your quotes even mention iPhone at all.

      • Ben Lovejoy - 8 years ago

        I shall certainly take your advice to cease debating the matter with you at this stage; I think the piece is perfectly clear, you don’t. We’ll have to agree to disagree.

      • In your own words “and telling the hackers nothing more than the phone number” – so the hackers had no idea what kind of phone the congressman had. So point of fact, they absolutely (in no way, shape or form) used the congressman’s phone.

      • Ben Lovejoy - 8 years ago

        The demonstration used his phone. I don’t think think anyone is left confused about what happened.

      • Brian - 8 years ago

        It seems like click bait to me. The general public is going to attribute this to the iPhone. They MOSTLY used iPhones in the story. VERY FEW will notice that it was actually a network flaw, only available to the networks and the white hat hackers they employed and provided access to.

        For instance, the bit where they activate the camera? That was an ANDROID. An iPhone would have required that you allow access to the camera for ANY APP, unless the hacker had possession of an unlocked phone to somehow modify the OS.

  5. Gregory Wright - 8 years ago

    Maybe the telecoms have fixed this vulnerability but in years past anyone who purchased a police scanner could listen to police radio calls simply by entering the agency channel frequency numbers. News agencies do it all the time. These scanners also enabled one to listen to cell phone traffic if the scanner was within range of the tower transmitting the signal. I wonder how different is this discovery from methods used in the past.

    • John Samchance - 8 years ago

      There is NO Police Scanner that will intercept modern day cell phones.

      • srgmac - 8 years ago

        Stingray…?

    • 89p13 - 8 years ago

      When the television news reports have footage, many of them show the audio is coming from a service that does exactly this – but I can’t remember the name of the organization.

  6. luckydcxx - 8 years ago

    Another reason to use FaceTime audio

    • Or any other form of VOIP. Killing the traditional voice network would be better than trying to fix whatever issues exist here at the root of the telecom backbone.

      • ** Caveat: so long as the voip traffic is encrypted as if it’s not there’s still room for interception and playback.

  7. Grayson Mixon - 8 years ago

    This makes me think that a priority for Apple would figuring out a way to hook up an interface on their servers to the traditional phone system so that FaceTime Audio calls could be made to all phones, even land lines.

    That would make it so that no one monitoring your phone could see who you are calling or could intercept the conversation, because it would be encrypted between your phone and Apple’s servers.

    They could still potentially tap the conversation on the other person’s end, if they aren’t using an iPhone, but that would require them to know who you are calling to set up a tap on the other end.

    The same thing could be done for SMS.

    People talk about Apple setting up an MVNO. What if they just made it so that they use the carriers’ data connection, but all iPhones out there suddenly stop having any calls or text messages and work as data only devices?

    • VOIP is not a priority at Apple and won’t be so long as they rely on carriers to host the networks their products run on – and carrier partners to help sell the products.

      • Grayson Mixon - 8 years ago

        They do have VOIP in the form of FaceTime Audio. They just don’t have an interface to translate that to the traditional phone network. And it would still go over your carrier’s phone system, just not directly from your phone.

        So, for example, FaceTime Audio works like this:
        iPhone->FaceTime Audio data over carrier (encrypted)->Apple servers->FaceTime Audio data over carrier (encrypted)->iPhone

        An ideal system using FaceTime Audio for all calls would be like this:
        iPhone->FaceTime Audio data over carrier (encrypted)->Apple servers->Traditional phone system over your carrier (unencrypted)->Any phone

        It has the advantage that it is much harder to tap your phone individually. They would have to tap the phone on the other end to listen in on the call, or tap your carrier’s servers.

  8. Jake Becker - 8 years ago

    They start caring a whole lot when it happens to them!

  9. celitan - 8 years ago

    So, question is:
    Would this have made the news headline if they had given the congressman a Nokia 3320? Or a Nexus or…

    While reading the article, I fully understand that this is a carrier/network issue and can be done with any phone, the average joe reads the headline and remembers: “iPhone hacked”.
    I really would expect a better reporting of the issue.

    • Ben Lovejoy - 8 years ago

      9to5Mac doesn’t really have an ‘average Joe’ readership. It’s a technology site, and I like to think most read more than the headline.

      • Grayson Mixon - 8 years ago

        You know, Ben, I think this whole “telephone” thing is a fad. Hand written letters will endure the test of time, not some fancy gizmo that all these youngsters are using.

      • Ben Lovejoy - 8 years ago

        I’m currently testing a keyboard that thinks it’s a typewriter …

  10. rawbob - 8 years ago

    You should have mentioned that the folks at Security Research Labs have *legal* access to an SS7 portal. And that’s not so easy to get. But that wouldn’t make for such a good story, would it? (It was mentioned in the 60 Minutes piece, but not emphasized for the same reason.)

    • Ben Lovejoy - 8 years ago

      To be clear, they asked permission, so that they wouldn’t be breaking the law, but were in no way assisted to gain access.

      • Brian - 8 years ago

        COMPLETELY FALSE BEN, according to the hastily mentioned detail in the 60 minutes ‘story’.

      • Ben Lovejoy - 8 years ago

        If you have a link to the contrary, I’ll read it with interest. This was an exploit they discovered on their own, and only sought permission to demonstrate it.

  11. John Smith - 8 years ago

    This isn’t a new exploit – it’s just new to americans.

    And there’s at least two other well known issues with the globally standardised protocols.

    I don’t see anyone picking up on one of the biggest implications of the article: if you are using any systems which send ‘forgot my password’ reset codes by SMS then think it through a minute. People in Europe are already losing control of email accounts and then bank accounts on this one.

    Apple is not responsible for this – these protocols are by international agreement so that people’s phones work across the world – but Apple are major players in those international decision making groups.

    While Apple spends all its attention on protecting me from the FBI – a fantasy threat for ordinary people – I really need more attention paid to the real threats normal people are facing.

    See you again next week for the next ‘how to hack those impregnable phones’ foul up 9-5 Mac discusses.

    • Brian - 8 years ago

      So, it’s new to the country where the phone was invented, and also the first country to start hacking it. Good to know.

  12. Marc Orcutt - 8 years ago

    How were texts intercepted (or “monitored” as the article states)? I’m assuming these were just SMS messages to other non-iPhone users as Apple’s iMessage service is encrypted and wouldn’t (or shouldn’t) be susceptible to this type of attack. The SS7 attack has been known for a long time and I agree with the article – there is little interest in fixing it as, at least in the US, it (combined with other techniques, such as fake cell service towers) is considered a critical tool for tracking criminal activity. Well, at least we’re led to believe that it is criminal activity that is being tracked. But hey, where can you go wrong trading rights and freedom in exchange for perceived security….

  13. k0jeg - 8 years ago

    This is yet another problem with maintaining backwards compatibility. There’s really no reason to continue using SS7 and the legacy 10 digit dialing system other than because that’s the way it’s always been. Why would a phone made in 1950 be expected to work today, except maybe in a museum display? Many modern phone networks use some form of VoIP, even large chunks of the legacy wireline network.

  14. srgmac - 8 years ago

    Ted Lieu is a good guy; I don’t agree with his stance on drugs BUT I still think he has a pretty sound head on his shoulders on most other issues.

  15. Lawrence Krupp - 8 years ago

    SS7 handles the traditional landline telephone network as well. It was originally developed to replace the traditional in-band signaling network that made hackers like John Draper (Captain Crunch) and Steve Wozniak famous for their “blue boxes” and whistles that tricked the telephone network into routing calls for free. Since the SS7 network was out-of-band on a separate network, that made those blue boxes and whistles useless.

  16. Thelonious Mac - 8 years ago

    It’s not a secret anymore dammit!

  17. More about this SS7 wanted bug :-)

    here (Tobias Engel)

    https://www.youtube.com/watch?v=lQ0I5tl0YLY

    and here (Karsten Nohl)

    https://www.youtube.com/watch?v=GeCkO0fWWqc

  18. darwiniandude - 8 years ago

    Use iMessage. Use Facetime Audio calls. Let’s hope iCloud backups get encrypted at WWDC.

  19. Single Dad - 8 years ago

    The issue is interesting in itself but it’s not news (except to Congress apparently).

    The mention of an iPhone as a headline is–at best–a distraction as the brand of phone has nothing at all to do with the surveillance capability.

    Fixing this is a Big Problem because the network technology (which is what is being ‘hacked’, not any specific phone) is ubiquitous around the world.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!